By AJ Shipley
In my previous blog post, I covered the importance of having security built in and not bolted on. In this blog post, I’ll outline the top five key variables that are influencing how we approach device security — a topic particularly top of mind as I spend this week at the RSA Conference.
1. Connectivity to the enterprise and cloud. Historically, embedded devices, while network connected, operated on proprietary protocols and dedicated networks. A “great wall” so to speak, existed between the networks that powered our critical infrastructure, for example, and the networks that powered our enterprises. However, due to the pervasive nature of Ethernet there is a desire now to leverage all of the security expertise that we have gained over the past 20 years deploying commercial grade enterprise networks and apply it to our embedded systems — and then extend this when connecting to the cloud. Herein lays the potential for huge productivity gains by leveraging the same infrastructure to collect data, analyze it, manage and update our devices, etc. Along with the potential productivity gains comes the reality that we are now exposing our embedded devices to threats that they have never had to deal with before and probably aren’t suited to handle in the same manner that our enterprise infrastructure is.
2. Vertical integration. We’ve seen Apple do this masterfully for years by controlling both the hardware and the software of their devices, and this same trend is now taking place across multiple industries. Microsoft is getting into the game with its new “Surface” tablet and other operating systems designed to function on more mobile devices. You also have traditional “hardware” or “silicon” vendors who are reaching up into the software stack and building more complex “software” features into the hardware. So you have an environment where the lines between hardware, software, and application are blurring significantly. Effective security, which requires multiple layers that are built in to the device, must now take into account the tighter relationship between hardware, software, applications, and infrastructure.
3. Complex regulatory environment. It’s no secret that we are operating under an increasingly complex regulatory environment. Typically each industry has its own set of regulations that products must meet prior to operation. The interesting thing is that functionally, the majorities of these requirements are the same and can be met with similar approaches, however, identifying what specific regulation that a particular product or industry is governed by, and keeping pace with the changes is adding additional stresses to embedded device security.
4. Secure supply chain challenges. Supply chain challenges are not new, but securing the supply chain is often times an afterthought. The location of manufacturer, depending on the industry that you are operating in, can have significant repercussions on how and what security mechanisms must be in place. Furthermore, the potential to impact the end devices or infrastructure by attacking non-manufacturing supply chain partners, like certificate authorities, domain name servers, or security vendors is a threat vector that is often times overlooked.
5. Safety and security. Finally, from an embedded perspective, for a number of years the primary concern was the safety of the systems and making sure that we were protected from them in the event of a failure. Now security has come to the forefront, which shouldn’t be a surprise because safety and security are really just different sides of the same coin. Safety is about protecting the world from the devices, and security is about protecting the devices from the world.
The organization that can assimilate, process, and make sense of these disparate factors, and understand the inherent security tradeoffs that must be made to be successful as a commercial entity will leapfrog their competition while at the same time staying off the front page because of a security lapse.
In my next blog post, I’ll discuss the two points of view from which I approach security and security decisions – the secure platform vs. the secure infrastructure, as well as touch on key takeaways from RSA…stay tuned.
For additional information from Wind River, visit us on Facebook.